Turns out there is a way. It seems to be a recent addition, as it wasn’t in the 
documentation I looked at originally.

[nss]
allowed_shells = *
shell_fallback = /bin/bash

The semantics of allowed_shells is kind of interesting. 
* any shell in /etc/shells is OK
* any shell in allowed_shells but not in /etc/shells gets replaced by the 
fallback
* if allowed_shells isn’t set, any shell is used, even if it doesn’t exist

So setting allowed_shells to * does what you’d want: any shell in /etc/shells 
is OK. Otherwise you get the fallback.

* as a possible value is relatively new.

This is really what I’d expect default behavior to be if allowed_shells isn’t 
set.


> On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
> 
>> Charles Hedrick via FreeIPA-users wrote:
>> 
>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
>>> can be hard to recover from, since you can’t log in.
>>> 
>>> Is there a way to restrict what they can use? Traditionally only
>>> shells in /etc/shells were valid.
>> 
>> There is no way currently.
>> 
>> Note that part of the problem is which /etc/shells to use? Remember
>> that IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because
>> it is nearly universal.
> 
> At the very least, it would be good to restrict it to /etc/shells on the
> current machine.  Doesn't cover everything, but it's an improvement.
> 
> Thanks,
> --Robbie
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
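
The evaluation order described in the message above, as an added example (not part of the original thread and not SSSD's own code). It also covers one case the thread does not mention, taken from sssd.conf(5): a shell in neither /etc/shells nor allowed_shells resolves to a nologin shell. The function names, the /sbin/nologin path and the sample data are assumptions.

```python
# Added example, not SSSD code; names, nologin path and sample data are constructed.
NOLOGIN = "/sbin/nologin"  # assumed path of the nologin shell

ETC_SHELLS = """\
# /etc/shells (constructed sample)
/bin/sh
/bin/bash
/usr/bin/zsh
"""


def parse_etc_shells(text):
    """Return the set of shell paths in /etc/shells content, skipping comments."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def effective_shell(requested, etc_shells, allowed_shells=None,
                    shell_fallback="/bin/sh"):
    """Shell a login gets for `requested`, the value stored in the directory.
    allowed_shells is None when the option is unset, else a list such as ["*"].
    """
    if allowed_shells is None:
        return requested          # unset: used as-is, even if it does not exist
    if requested in etc_shells:
        return requested          # present in /etc/shells: always OK
    if "*" in allowed_shells or requested in allowed_shells:
        return shell_fallback     # allowed but not installed here: fallback
    return NOLOGIN                # sssd.conf(5) case, not covered in the thread


def changed_shells(users, etc_shells, allowed_shells, shell_fallback):
    """Return {user: (stored, effective)} for users whose shell is replaced."""
    out = {}
    for user, stored in users.items():
        eff = effective_shell(stored, etc_shells, allowed_shells, shell_fallback)
        if eff != stored:
            out[user] = (stored, eff)
    return out


if __name__ == "__main__":
    users = {"alice": "/usr/bin/zsh", "bob": "/bin/bsah"}  # bob: constructed typo
    shells = parse_etc_shells(ETC_SHELLS)
    print(changed_shells(users, shells, ["*"], "/bin/bash"))
```

Running changed_shells over an export of stored user shells before enabling allowed_shells shows which accounts would land on the fallback or on nologin.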
